Script that takes a file (output by wireshark/tshark, in JSON format) and analyzes
the packet inter-arrival times of a certain device at a certain time.
import json
from collections import defaultdict
from decimal import Decimal

from dateutil import parser
# Keys used to walk the JSON export produced by wireshark/tshark (see module docstring).
# Each packet object nests its protocol layers under "_source" -> "layers".
JSON_KEY_SOURCE = "_source"
JSON_KEY_LAYERS = "layers"
# Ethernet layer fields: destination and source MAC addresses.
# NOTE(review): parse_json also reads JSON_KEY_ETH, whose definition is not in this view.
JSON_KEY_ETH_DST = "eth.dst"
JSON_KEY_ETH_SRC = "eth.src"
# Frame layer and its epoch timestamp field (seconds, converted to Decimal by parse_json).
JSON_KEY_FRAME = "frame"
JSON_KEY_FRAME_TIME = "frame.time_epoch"
# Column labels written as a commented header line by save_to_file.
TABLE_HEADER_X = "Packet number"
TABLE_HEADER_Y = "Time (seconds)"
# Suffixes appended to the device name / output file to distinguish traffic direction.
INCOMING_APPENDIX = "_incoming"
OUTGOING_APPENDIX = "_outgoing"
# Extension of the saved table file.
FILE_APPENDIX = ".dat"
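def save_to_file(tblheader, timestamp_list, filenameout):
    """Append a two-column table of inter-arrival times to a .dat file.

    The file is opened in append mode, so repeated runs accumulate tables
    in the same file instead of overwriting earlier results.

    tblheader: header line written (as a '#' comment) above the table
    timestamp_list: sequence of inter-arrival times, one row per entry
    filenameout: path of the file to append to
    """
    # Appending, not overwriting! The context manager closes the file even
    # if a write fails part-way through the table.
    with open(filenameout, 'a') as f:
        # Header lines are '#'-prefixed so plotting tools treat them as comments
        f.write("# " + tblheader + "\n")
        f.write("# " + TABLE_HEADER_X + " " + TABLE_HEADER_Y + "\n")
        if not timestamp_list:
            # Write "0 0" if the list is empty so the file still holds a table
            print("Writing zeroes to file: " + filenameout)
            f.write("0 0\n")
        else:
            # One "<index> <value>" row per inter-arrival time, in list order
            for ind, val in enumerate(timestamp_list):
                f.write(str(ind) + " " + str(val) + "\n")
    print("Writing output to file: " + filenameout)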
62 print "Usage: python", sys.argv[0], "<input_file> <output_file> <device_name> <mac_address>"
64 # Parse the file for the specified MAC address
65 timestamplist_incoming = parse_json(sys.argv[1], sys.argv[4])
66 # Write statistics into file
67 print "====================================================================="
68 print "==> Analyzing incoming traffic ..."
69 save_to_file(sys.argv[3] + INCOMING_APPENDIX, timestamplist_incoming, sys.argv[2] + INCOMING_APPENDIX + FILE_APPENDIX)
70 print "====================================================================="
71 #print "==> Analyzing outgoing traffic ..."
72 #save_to_file(sys.argv[3] + OUTGOING_APPENDIX, timestamplist_outgoing, sys.argv[2] + OUTGOING_APPENDIX + FILE_APPENDIX)
73 #print "====================================================================="
76 # Convert JSON file containing DNS traffic to a map in which a hostname points to its set of associated IPs.
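def parse_json(filepath, macaddress):
    """Collect inter-arrival times of packets addressed to one device.

    filepath: path of the tshark/wireshark JSON export to read
    macaddress: Ethernet (MAC) address of the device to analyze; matched
        case-insensitively, since MAC addresses are hexadecimal and the
        capture tool and the user may not agree on letter case

    Returns a list of Decimal values (seconds): the time elapsed between
    each packet whose destination is *macaddress* and the previous such
    packet. The first matching packet has no predecessor and contributes
    no entry. Packets lacking an Ethernet layer or a parseable frame
    timestamp are reported and skipped instead of aborting the run, so a
    single malformed record cannot stop the analysis of the capture.
    """
    # Inter-arrival times, in arrival order
    timestamplist = list()
    with open(filepath) as jf:
        # Root of the export is a JSON array with one object per captured packet
        data = json.load(jf)
    # Normalize once so the per-packet comparison is a plain equality test
    target = macaddress.strip().lower()
    # Timestamp of the previous matching packet; None until the first one is seen
    prev = None
    for p in data:
        # p is a JSON object, not an index; tolerate records missing the
        # expected nesting rather than raising KeyError for the whole file
        layers = p.get(JSON_KEY_SOURCE, {}).get(JSON_KEY_LAYERS, {})
        frame = layers.get(JSON_KEY_FRAME, None) or {}
        raw_time = frame.get(JSON_KEY_FRAME_TIME, None)
        try:
            timestamp = Decimal(raw_time)
        except (TypeError, ArithmeticError):
            # None or a non-numeric string; decimal.InvalidOperation is an ArithmeticError
            print("[ WARNING: Packet has no valid frame timestamp! ]")
            continue
        # Get into the Ethernet address part
        eth = layers.get(JSON_KEY_ETH, None)
        if eth is None:
            print("[ WARNING: Packet has no ethernet address! ]")
            continue
        src = eth.get(JSON_KEY_ETH_SRC, None)
        dst = eth.get(JSON_KEY_ETH_DST, None)
        # Only traffic sent to the specified device is counted (incoming direction)
        if dst is None or str(dst).lower() != target:
            continue
        print(str(timestamp) + " - src:" + str(src) + " - dest:" + str(dst))
        if prev is not None:
            inter_arrival_time = timestamp - prev
            timestamplist.append(inter_arrival_time)
        prev = timestamp
    return timestamplist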
123 if __name__ == '__main__':